Merge branch 'master' into docs-rel-4-8-a

Author: addetz

_partials/pcg/_pcg-initial-installation.mdx

@@ -24,13 +24,15 @@ partial_name: pcg-initial-installation
     | **Allow Insecure Connection**  | Bypass x509 server Certificate Authority (CA) verification. Enter `y` if you are using a self-hosted Palette or Palette VerteX instance with self-signed TLS certificates and need to provide a file path to the instance CA. Otherwise, enter `n`. |
     | **Spectro Cloud API Key**      | Enter your Palette API Key. Refer to the <VersionedLink text="Create API Key" url="/user-management/authentication/api-key/create-api-key" /> guide for more information.                                                                                                           |
     | **Spectro Cloud Organization** | Select your Palette organization name.                                                                                                                                                                                                                             |
-    | **Spectro Cloud Project**      | Select the project you want to register your {props.edition} account in.                                                                                                                                                                                                  |
+    | **Spectro Cloud Project**      | Select the Palette project you want to register your {props.edition} account in.                                                                                                                                                                                                  |
     | **Acknowledge**                | Accept the login banner message. Login banner messages are only displayed if the tenant admin enabled a login banner.                                                                                                                                              |
 
     :::info
 
-    The `CloudAccount.apiKey` and `Mgmt.apiKey` values in the **pcg.yaml** file are encrypted and cannot be manually
-    updated. To change these values, use the `palette pcg install --update-passwords` command. Refer to the <VersionedLink text="PCG command" url="/automation/palette-cli/commands/pcg#update-passwords" /> reference page for more information.
+    After completing the `palette pcg install` steps, the configuration details are saved to a file named `pcg.yaml` in the `~/.palette/pcg/pcg-<date-time>` directory.
+    The `CloudAccount.apiKey` and `Mgmt.apiKey` values in the `pcg.yaml` file are encrypted and cannot be manually updated. To change these values, use the
+    `palette pcg install --update-passwords` command. Refer to the <VersionedLink text="PCG command" url="/automation/palette-cli/commands/pcg#update-passwords" />
+    reference page for more information.
 
     :::
 
@@ -46,9 +48,9 @@ partial_name: pcg-initial-installation
     | **Management Plane Type**                            | Select **Palette** or **VerteX**.                                                                                                                                                                                                                                                          |
     | **Enable Ubuntu Pro (required for production)**      | Enter `y` if you want to use Ubuntu Pro and provide an Ubuntu Pro token. Otherwise, enter `n`.                                                                                                                                                                                      |
     | **Select an image registry type**                    | For a non-airgap installation, choose `Default` to pull images from public image registries. This requires an internet connection. For airgapped installations, select `Custom` and point to your airgap support VM or a custom internal registry that contains the required images. |
-    | **Share PCG Cloud Account across platform Projects** | Enter `y` if you want the cloud account associated with the PCG to be available from all projects within your organization. Enter `n` if you want the cloud account to only be available at the tenant admin scope.                                                                |
     | **Cloud Type**                                       | Select **{props.edition}**.                                                                                                                                                                                                                                                                  |
     | **Private Cloud Gateway Name**                       | Enter a custom name for the PCG.                                                                                                                                                                                                                       |
+    | **Share PCG Cloud Account across platform Projects** | Enter `y` if you want the cloud account associated with the PCG to be available from all projects within your organization. Enter `n` if you want the cloud account to only be available at the tenant admin scope.                                                                |
 
 5. If you want to configure your PCG to use a proxy network, complete the following fields, as appropriate.
 

_partials/permissions/_cloudstack-dynamic-permissions.mdx

@@ -0,0 +1,47 @@
+---
+partial_category: permissions
+partial_name: cloudstack-dynamic-permissions
+---
+**Last Update**: December 13, 2025
+
+```text
+assignToLoadBalancerRule
+associateIpAddress
+createAffinityGroup
+createEgressFirewallRule
+createLoadBalancerRule
+createNetwork
+createTags
+deleteAffinityGroup
+deleteNetwork
+deleteTags
+deployVirtualMachine
+destroyVirtualMachine
+disassociateIpAddress
+getUserKeys
+listAccounts
+listAffinityGroups
+listCapabilities
+listDiskOfferings
+listDomains
+listLoadBalancerRuleInstances
+listLoadBalancerRules
+listNetworkOfferings
+listNetworks
+listProjects
+listPublicIpAddresses
+listServiceOfferings
+listSSHKeyPairs
+listTags
+listTemplates
+listUsers
+listVPCs
+listVirtualMachines
+listVirtualMachinesMetrics
+listVolumes
+listZones
+queryAsyncJobResult
+startVirtualMachine
+stopVirtualMachine
+updateVMAffinityGroup
+```

_partials/permissions/_cloudstack-static-permissions.mdx

@@ -0,0 +1,47 @@
+---
+partial_category: permissions
+partial_name: cloudstack-static-permissions
+---
+**Last Update**: December 13, 2025
+
+```text
+assignToLoadBalancerRule
+associateIpAddress
+createAffinityGroup
+createEgressFirewallRule
+createLoadBalancerRule
+createNetwork
+createTags
+deleteAffinityGroup
+deleteNetwork
+deleteTags
+deployVirtualMachine
+destroyVirtualMachine
+disassociateIpAddress
+getUserKeys
+listAccounts
+listAffinityGroups
+listCapabilities
+listDiskOfferings
+listDomains
+listLoadBalancerRuleInstances
+listLoadBalancerRules
+listNetworkOfferings
+listNetworks
+listProjects
+listPublicIpAddresses
+listServiceOfferings
+listSSHKeyPairs
+listTags
+listTemplates
+listUsers
+listVPCs
+listVirtualMachines
+listVirtualMachinesMetrics
+listVolumes
+listZones
+queryAsyncJobResult
+startVirtualMachine
+stopVirtualMachine
+updateVMAffinityGroup
+```

_partials/self-hosted/feature-flags/_feature-flags-intro.mdx

@@ -18,6 +18,9 @@ The following table lists all available feature flags and their supported platfo
 | **AwsSecretPartition** | Configure [AWS Secret Cloud](https://aws.amazon.com/federal/secret-cloud/) accounts and deploy EKS clusters in AWS Secret cloud. Refer to our <VersionedLink text="Register and Manage AWS Accounts" url="/clusters/public-cloud/aws/add-aws-accounts#aws-secret-cloud-account-us" /> guide for more information.                                                                                                                                                         |         :x:         |     :white_check_mark:     |
 | **AzureUSSecretCloud** | Configure [Azure Government Secret cloud](https://azure.microsoft.com/en-us/explore/global-infrastructure/government/national-security) accounts and deploy Azure IaaS clusters in Azure Government Secret cloud. Refer to our [Register and Manage Azure Accounts](/clusters/public-cloud/azure/azure-cloud/#azure-government-secret-cloud) guide for more information.                                                                                                                                                                                                                                    |         :x:         |     :white_check_mark:     |
 | **LxdMaas**            | Spawn multiple control plane nodes as LXD VMs and consolidate them on MAAS-managed servers while your worker nodes run on bare metal devices. Refer to our <VersionedLink text="Create and Manage MAAS Clusters Using LXD VMs" url="/clusters/data-center/maas/create-manage-maas-lxd-clusters/" /> guide for more information.                                                                                                                                            | :white_check_mark:  |     :white_check_mark:     |
+| **ApacheCloudStack**            | Allows for the creation of workloads on Apache CloudStack. Refer to our <VersionedLink text="Create and Manage Apache CloudStack Clusters" url="/clusters/data-center/cloudstack/create-manage-cloudstack-clusters/" /> guide for more information.                                                                                                                                            | :white_check_mark:  |     :white_check_mark:     |
+
+
 
 :::warning
 

docs/docs-content/clusters/data-center/cloudstack/_category_.json

@@ -0,0 +1,3 @@
+{
+  "position": 30
+}

docs/docs-content/clusters/data-center/cloudstack/add-cloudstack-accounts.md

@@ -0,0 +1,85 @@
+---
+sidebar_label: "Add CloudStack Accounts"
+title: "Add CloudStack Accounts to Palette"
+description: "Learn how to register and manage your CloudStack accounts in Palette."
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["data center", "cloudstack"]
+---
+
+:::preview
+
+This is a Tech Preview feature and is subject to change. Do not use this feature in production workloads. This feature
+is supported in self-hosted Palette only.
+
+:::
+
+You can register Apache CloudStack accounts in Palette to create and manage Kubernetes clusters in your CloudStack
+environment.
+
+## Prerequisites
+
+- The **ApacheCloudStack** [feature flag](../../../enterprise-version/system-management/feature-flags.md) is enabled.
+
+- An installed [Private Cloud Gateway (PCG)](../../pcg/pcg.md) that connects to your CloudStack environment. Review
+  [Deploy a PCG in CloudStack](../../pcg/deploy-pcg/cloudstack.md) for guidance.
+
+  :::info
+
+  If you have a self-hosted Palette or VerteX instance with network connectivity to the CloudStack environment, you can
+  use a System Private Gateway to add CloudStack accounts. Refer to the
+  [System Private Gateway](../../pcg/architecture.md#system-private-gateway) guide to learn more.
+
+  :::
+
+- A CloudStack user account with the required permissions to deploy workload clusters in the CloudStack environment.
+  Review [Required Permissions for CloudStack](required-permissions.md) to learn more about the required permissions.
+
+- Access to your CloudStack environment with the following information:
+
+  - The CloudStack API endpoint URL. For example, `https://cloudstack.example.com:8443/client/api` or
+    `https://management-server-ip:8080/client/api`.
+
+  - A CloudStack API key and Secret key for the user account that will be used to deploy workload clusters. Refer to the
+    [Using API Key and Secret Key based Authentication](https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#using-api-key-and-secret-key-based-authentication)
+    guide about API and Secret keys.
+
+  - The [CloudStack domain](https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#domains) name for the
+    user account that will be used to deploy workload clusters.
+
+  - The Certificate Authority (CA) certificate for your CloudStack environment if it uses a custom or self-signed TLS
+    certificate.
+
+## Register a CloudStack Account
+
+1. Log in to Palette as a tenant admin.
+
+2. From the left main menu, select **Tenant Settings > Infrastructure > Cloud Accounts**.
+
+3. Locate **CloudStack** and click **Add CloudStack Account**.
+
+4. Fill out the following input values and click **Confirm** to continue.
+
+   | **Field**                        | **Description**                                                                                                                                                                          |
+   | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+   | **Account name**                 | A custom name for the CloudStack account. This is used by Palette to identify the account.                                                                                               |
+   | **select private cloud gateway** | Select the PCG from the list of deployed PCGs in your setup.                                                                                                                             |
+   | **API URL**                      | Enter the CloudStack API endpoint URL. For example, `https://cloudstack.example.com:8443/client/api` or `https://management-server-ip:8080/client/api`.                                  |
+   | **API Key**                      | Enter the CloudStack API key for the user account that has permissions to deploy workload clusters.                                                                                      |
+   | **Secret Key**                   | Enter the CloudStack Secret key for the user account that has permissions to deploy workload clusters. Click **Validate** to verify the connection.                                      |
+   | **Domain**                       | Enter the CloudStack [domain](https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#domains) name for the user account that has permissions to deploy workload clusters. |
+   | **Allow Insecure Connection**    | Enable this option if you want to skip TLS certificate verification for your CloudStack environment.                                                                                     |
+
+5. After filling out the required information, click **Confirm** to add the CloudStack account to Palette.
+
+## Validate
+
+1. Log in to Palette as a tenant admin.
+
+2. From the left main menu, select **Tenant Settings > Infrastructure > Cloud Accounts**.
+
+3. Verify that the CloudStack account you added appears in the CloudStack accounts list.
+
+## Next Steps
+
+- Learn how to [Create and Manage CloudStack Clusters](create-manage-cloudstack-clusters.md) in Palette.

docs/docs-content/clusters/data-center/cloudstack/architecture.md

@@ -0,0 +1,42 @@
+---
+sidebar_label: "Architecture"
+title: "Architecture"
+description: "Learn about the architecture used to support CloudStack clusters through Palette."
+hide_table_of_contents: false
+sidebar_position: 10
+tags: ["data center", "cloudstack", "architecture"]
+---
+
+:::preview
+
+This is a Tech Preview feature and is subject to change. Do not use this feature in production workloads. This feature
+is supported in self-hosted Palette only.
+
+:::
+
+Palette supports using
+[Apache CloudStack](https://docs.cloudstack.apache.org/en/latest/conceptsandterminology/concepts.html#cloud-infrastructure-overview)
+as a data center provider. You can deploy Kubernetes clusters to your CloudStack environment using Palette. The
+CloudStack management environment could include Bare Metal (via IPMI), Hyper-V, Kernel-based Virtual Machine(KVM), Linux
+Containers (LXC), vSphere (via vCenter), Xenserver and Xen Project. Below are some key features of the Palette
+CloudStack architecture:
+
+- Support for static IP addresses, as well as DHCP. If you are using Dynamic Host Configuration Protocol (DHCP), Dynamic
+  DNS is required.
+
+- Support for IP address pool management for assigning blocks of IPs dedicated to clusters or projects.
+
+- A Private Cloud Gateway (PCG) must be setup within the CloudStack environment to communicate with the Palette
+  management platform and the Apache CloudStack management platform that installed in the private data center.
+
+  The PCG facilitates communication between Palette and your infrastructure environment. The PCG is necessary in
+  environments where Palette does not have direct network access. Many infrastructure environments are placed in a
+  private network that blocks connections originating externally. The PCG connects to Palette, and acts as an endpoint,
+  allowing you to target the environment when deploying clusters in Palette.
+
+  ![CloudStack VPC Static Flow](/clusters_pcg_architecture_cloudstack_overview_diagram.webp)
+
+- Support for Projects within a Domain. You can use Apache CloudStack projects to separate workload resources among
+  different teams, as CloudStack tracks resource usage per project and per user.
+
+You can learn more in the [PCG Architecture](../../pcg/architecture.md) section.

docs/docs-content/clusters/data-center/cloudstack/cloudstack.md

@@ -0,0 +1,67 @@
+---
+sidebar_label: "CloudStack"
+title: "Apache CloudStack"
+description: "Learn how to configure Apache CloudStack and create CloudStack clusters in Palette"
+hide_table_of_contents: false
+tags: ["data center", "cloudstack"]
+---
+
+:::preview
+
+This is a Tech Preview feature and is subject to change. Do not use this feature in production workloads. This feature
+is supported in self-hosted Palette only.
+
+:::
+
+Palette supports using [Apache CloudStack](https://cloudstack.apache.org/) as a data center provider. You can deploy
+Kubernetes clusters to your CloudStack environment using Palette.
+
+To make this work, Palette will need a [Private Cloud Gateway (PCG)](../../pcg/pcg.md), which creates a secure
+connection from the internal network to the Palette instance, ultimately bypassing the need to create firewall rules or
+other network configurations allowing external connections to the internal network.
+
+## Get Started
+
+To get started with CloudStack as your target platform for deploying Kubernetes clusters, you need to deploy a PCG in
+your CloudStack environment. The PCG acts as a bridge between your CloudStack environment and Palette, enabling secure
+communication between the two. Start by reviewing the [Deploy a PCG in CloudStack](../../pcg/deploy-pcg/cloudstack.md)
+guide and the [required permissions](required-permissions.md).
+
+:::info
+
+If you are using a self-hosted Palette or VerteX instance, you can skip the PCG deployment and use the System PCG that
+is already available in the instance. Review the [System PCG](../../pcg/architecture.md#system-private-gateway) section
+of the PCG architecture page for more information.
+
+:::
+
+After you have deployed the PCG, you can proceed to [add a CloudStack account](./add-cloudstack-accounts.md), which will
+enable you to [create and manage CloudStack clusters](./create-manage-cloudstack-clusters.md) in Palette.
+
+## Supported Versions
+
+The following versions of Apache CloudStack are supported in Palette.
+
+| **Version** | **Supported**      |
+| ----------- | ------------------ |
+| 4.19.3.0    | :white_check_mark: |
+
+The following versions of Apache Cloud API are supported in Palette.
+
+| **Version** | **Supported**      |
+| ----------- | ------------------ |
+| 0.6.1       | :white_check_mark: |
+
+## Next Steps
+
+- [Review architecture for CloudStack](architecture.md)
+
+- [Review required permissions for CloudStack](required-permissions.md)
+
+- [Deploy a PCG in CloudStack](../../pcg/deploy-pcg/cloudstack.md) or use a
+  [System Private Gateway](../../pcg/architecture.md#system-private-gateway) if you have a self-hosted Palette or VerteX
+  instance with network connectivity to the CloudStack environment.
+
+- [Add CloudStack accounts to Palette](./add-cloudstack-accounts.md)
+
+- [Create and manage CloudStack clusters](create-manage-cloudstack-clusters.md)